^ I can verify that this is true for the Bitwarden browser plugin.
One situation where this doesn't work and you must be very careful is when using the mobile app. You unlock the app and copy-paste your credentials into your mobile browser; it doesn't detect anything. This means you must still manually verify that the site you are using is legit.
I'm not sure if this is the case for other password managers' mobile apps or not.
@opie
I didn't know that. That's a pretty big deal, and I haven't seen any of the U2F key makers crow about it.
How exactly are they validating the servers? Simply comparing fingerprints to a database maintained by the U2F company?
When you add a service to the key, it stores the server identity...so unless you're phished as you're setting up the key for the service, it'll never allow you to authenticate to a fake server.
Under the hood, I don't really know what crypto stuff it's doing...guess I should read up on that before I promote it, eh...
@opie
Oh, that's really cool.
I wasn't really asking about the crypto stuff. That would likely be a bit over my head anyway.
Yeah, so basically, when I set up my onlykey to do U2F with google, the onlykey stores that it's enabled to do U2F with account[.]google[.]com (or whatever it is), and I think there's a key exchange between the two...then when I actually use the key to authenticate it has to find that server making the request in its list of keys or it'll fail (I think...this is what I vaguely remember from reading about it)
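The flow described above, as an added example that is not part of the original thread and not any vendor's code: a simulated U2F token that bakes the server identity (appID) into the key handle at registration and refuses to sign for any other origin, so a look-alike site relaying a real challenge gets nothing it can use. Assumptions: the token's ECDSA key pair is replaced by a stand-in HMAC key so this runs on the standard library alone, and the appIDs are constructed placeholders.

```python
import hashlib
import hmac
import secrets


class SimulatedU2FToken:
    """Toy model of U2F origin binding (added illustration, not a real token).
    A real token wraps an ECDSA key pair in the key handle; here a stand-in HMAC key
    is used so this runs on the standard library alone. The binding logic is the point:
    the handle is tied to the appID seen at registration and nothing else."""

    def __init__(self) -> None:
        self.master_secret = secrets.token_bytes(32)  # never leaves the device

    def _derive_key(self, app_id: str, nonce: bytes) -> bytes:
        return hmac.new(self.master_secret, app_id.encode() + nonce, hashlib.sha256).digest()

    def _handle_tag(self, app_id: str, nonce: bytes) -> bytes:
        return hmac.new(self.master_secret, b"handle|" + app_id.encode() + nonce, hashlib.sha256).digest()

    def register(self, app_id: str) -> tuple[bytes, bytes]:
        """Registration: the server identity (appID) is baked into the key handle."""
        nonce = secrets.token_bytes(16)
        return nonce + self._handle_tag(app_id, nonce), self._derive_key(app_id, nonce)

    def authenticate(self, app_id: str, key_handle: bytes, challenge: bytes):
        """Authentication: sign only if the browser-supplied appID matches the handle."""
        nonce, tag = key_handle[:16], key_handle[16:]
        if not hmac.compare_digest(tag, self._handle_tag(app_id, nonce)):
            return None  # server not in the token's list (or foreign/tampered handle): refuse
        app_param = hashlib.sha256(app_id.encode()).digest()
        return hmac.new(self._derive_key(app_id, nonce), app_param + challenge, hashlib.sha256).digest()


def rp_verify(app_id: str, key: bytes, challenge: bytes, signature) -> bool:
    """Relying party: the signature must cover its own appID hash and its own challenge."""
    if signature is None:
        return False
    app_param = hashlib.sha256(app_id.encode()).digest()
    return hmac.compare_digest(signature, hmac.new(key, app_param + challenge, hashlib.sha256).digest())


def login_succeeds(registered_app_id: str, requesting_app_id: str) -> bool:
    """Register with one appID, then try to log in from a page the browser reports as another."""
    token = SimulatedU2FToken()
    key_handle, key = token.register(registered_app_id)
    challenge = secrets.token_bytes(32)  # issued by the real RP, relayed by whichever page is open
    signature = token.authenticate(requesting_app_id, key_handle, challenge)
    return rp_verify(registered_app_id, key, challenge, signature)
```

Because the browser, not the page, supplies the appID, the only way the look-alike origin could win is if the user had registered the key with it in the first place, which is exactly the "unless you're phished while setting it up" caveat from the thread.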
@voltronic
This is the power of U2F; if it would ever be supported by anything...U2F keys validate the identity of the server prior to submitting credentials...maybe some day...
<sigh>